From e7d01ef57659776b31a5d3fb7245ddb0f93b124d Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Fri, 20 Mar 2026 21:47:28 -0400
Subject: [PATCH] Return 404 (not 403) for inaccessible tickets in TicketController

Returning 403 Forbidden leaks the existence of tickets to users who should not know about them. Use 404 Not Found consistently across all access-controlled endpoints to prevent enumeration.

Co-Authored-By: Claude Sonnet 4.6
---
 controllers/TicketController.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/controllers/TicketController.php b/controllers/TicketController.php
index de45ad6..2d41e11 100644
--- a/controllers/TicketController.php
+++ b/controllers/TicketController.php
@@ -42,10 +42,10 @@ class TicketController {
             return;
         }
-        // Check visibility access
+        // Check visibility access — return 404 rather than 403 to avoid leaking ticket existence
         if (!$this->ticketModel->canUserAccessTicket($ticket, $currentUser)) {
-            header("HTTP/1.0 403 Forbidden");
-            echo "Access denied: You do not have permission to view this ticket";
+            header("HTTP/1.0 404 Not Found");
+            echo "Ticket not found";
             return;
         }
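Review bot: The new 404 only prevents enumeration if it is the same response, status line and body, that the genuine not-found branch emits (that branch ends at the `return;` at the top of the hunk and its body is outside this view); if the two differ in wording or status line, a client can still distinguish a missing ticket from a hidden one, so route both through one helper (for example a private `notFound()` that sets the status and echoes `Ticket not found`, called as `$this->notFound(); return;`) so they cannot drift apart. Prefer `http_response_code(404);` over `header("HTTP/1.0 404 Not Found");`, which hard-codes an HTTP/1.0 status line regardless of the request's protocol version. Because the client-facing response now intentionally hides the reason, the denied access (ticket id and current user) should be written to the server log so the distinction remains available for detection and incident review. The enclosing method starts outside the hunk.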